Joachim McClain
1,278 Points

Rails 4 Strong Parameters don't seem to be protecting my app...
The oddity is that it is not throwing an exception when a user submits a form with user_id. Shouldn't it fail? Why isn't it?
I'm running Rails 4.0.2 and Ruby 2.1.0.
Cheers
Joa
Here's the application_controller...
```ruby
class ApplicationController < ActionController::Base
  before_filter :configure_permitted_parameters, if: :devise_controller?
  # Prevent CSRF attacks by raising an exception.
  # For APIs, you may want to use :null_session instead.
  protect_from_forgery with: :exception

  protected

  def configure_permitted_parameters
    devise_parameter_sanitizer.for(:sign_up) << :first_name << :last_name << :profile_name
    devise_parameter_sanitizer.for(:account_update) << :first_name << :last_name << :profile_name
  end
end
```
Here's the statuses_controller...
```ruby
class StatusesController < ApplicationController
  before_action :set_status, only: [:show, :edit, :update, :destroy]

  # GET /statuses
  # GET /statuses.json
  def index
    @statuses = Status.all
  end

  # GET /statuses/1
  # GET /statuses/1.json
  def show
  end

  # GET /statuses/new
  def new
    @status = Status.new
  end

  # GET /statuses/1/edit
  def edit
  end

  # POST /statuses
  # POST /statuses.json
  def create
    @status = Status.new(status_params)

    respond_to do |format|
      if @status.save
        format.html { redirect_to @status, notice: 'Status was successfully created.' }
        format.json { render action: 'show', status: :created, location: @status }
      else
        format.html { render action: 'new' }
        format.json { render json: @status.errors, status: :unprocessable_entity }
      end
    end
  end

  # PATCH/PUT /statuses/1
  # PATCH/PUT /statuses/1.json
  def update
    respond_to do |format|
      if @status.update(status_params)
        format.html { redirect_to @status, notice: 'Status was successfully updated.' }
        format.json { head :no_content }
      else
        format.html { render action: 'edit' }
        format.json { render json: @status.errors, status: :unprocessable_entity }
      end
    end
  end

  # DELETE /statuses/1
  # DELETE /statuses/1.json
  def destroy
    @status.destroy
    respond_to do |format|
      format.html { redirect_to statuses_url }
      format.json { head :no_content }
    end
  end

  private

  # Use callbacks to share common setup or constraints between actions.
  def set_status
    @status = Status.find(params[:id])
  end

  # Never trust parameters from the scary internet, only allow the white list through.
  def status_params
    params.require(:status).permit(:content)
  end
end
```
and here's the _form.html.erb
```erb
<%= simple_form_for @status do |f| %>
  <% if @status.errors.any? %>
    <div id="error_explanation">
      <h2><%= pluralize(@status.errors.count, "error") %> prohibited this status from being saved:</h2>
      <ul>
        <% @status.errors.full_messages.each do |msg| %>
          <li><%= msg %></li>
        <% end %>
      </ul>
    </div>
  <% end %>

  <%= f.input :user_id %>
  <%= f.input :content %>

  <div class="form-actions">
    <%= f.button :submit, class: "btn btn-info" %>
  </div>
<% end %>
```
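The behaviour the question is asking about can be seen without loading Rails. The following is an added example, not code from the original post or from Rails itself: a small stand-alone model of how `require`/`permit` treat a submitted key that is not on the permit list. In Rails 4 an unpermitted key is not an error by default; it is dropped from the permitted hash and, in development and test, logged as "Unpermitted parameters", so `Status.new(status_params)` never sees `user_id` and nothing raises. Only when `action_on_unpermitted_parameters` is set to `:raise` does an `ActionController::UnpermittedParameters` exception surface. The `Params` class, the `on_unpermitted:` option and the `build_status` helper below are constructed for this example; the submitted hash is a constructed sample of what the `_form.html.erb` above would POST, including the `user_id` field.

```ruby
# Added example: a stand-alone model of Rails 4 strong-parameter filtering.
# Not Rails code; mirrors the documented behaviour of permit (drop + log by
# default, raise only when configured with :raise).

class UnpermittedParameters < StandardError; end

class Params
  # on_unpermitted: :log mirrors the Rails 4 development/test default,
  # :raise mirrors config.action_controller.action_on_unpermitted_parameters = :raise
  def initialize(data, on_unpermitted: :log, logger: $stderr)
    @data = data
    @on_unpermitted = on_unpermitted
    @logger = logger
  end

  # params.require(:status): the nested hash must be present and non-empty
  def require(key)
    value = @data[key]
    raise ArgumentError, "param is missing or the value is empty: #{key}" if value.nil? || value.empty?
    Params.new(value, on_unpermitted: @on_unpermitted, logger: @logger)
  end

  # permit(*allowed): keep only the allowed keys; unpermitted ones are dropped
  # and either logged or, in strict mode, turned into an exception
  def permit(*allowed)
    unpermitted = @data.keys - allowed
    unless unpermitted.empty?
      case @on_unpermitted
      when :raise then raise UnpermittedParameters, "found unpermitted parameters: #{unpermitted.join(', ')}"
      when :log   then @logger.puts "Unpermitted parameters: #{unpermitted.join(', ')}"
      end
    end
    @data.select { |k, _| allowed.include?(k) }
  end
end

# Constructed sample of the form submission: the client supplies user_id,
# which the server must never trust.
SUBMITTED = { status: { content: "hello", user_id: 42 } }.freeze

# Same shape as the controller's status_params, with the mode made explicit.
def status_params(params, on_unpermitted: :log)
  Params.new(params, on_unpermitted: on_unpermitted).require(:status).permit(:content)
end

# Owner assignment done server-side from the signed-in user, not from the form.
def build_status(params, current_user_id)
  status_params(params).merge(user_id: current_user_id)
end

if __FILE__ == $0
  p status_params(SUBMITTED)     # => {:content=>"hello"}  (user_id silently dropped)
  p build_status(SUBMITTED, 7)   # => {:content=>"hello", :user_id=>7}
  begin
    status_params(SUBMITTED, on_unpermitted: :raise)
  rescue UnpermittedParameters => e
    puts "raised: #{e.message}"
  end
end
```

The first call shows why the form "works" without an exception: `user_id` is filtered out before the model is built, and the only trace is a log line. The second call shows the shape that avoids relying on that filter at all: leave `user_id` off the form and set it from the session in the controller, so the permit list is a second line of defence rather than the only one.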
1 Answer
Joachim McClain
1,278 Points

Oh wow, my markdown has not worked at all... Sorry. Hope it all still makes sense. Cheers, Joa